How to use External GSSAPI implementation? (SAP's gsskrb5.dll)
Hi all,
This is a request for help and/or tips (or any information that might bring me closer to a solution).
Java has a standards-compliant implementation of Kerberos for the GSS (Generic Security Services) API. However, Windows is not standards-compliant out of the box, and requires a Registry setting to work ("allowtgtsessionkey"). That Registry setting degrades security.
Instead of Java's default Kerberos implementation, I am looking into using an Open Source implementation of GSSAPI that talks to Windows in the way Windows expects, through Windows SSPI (Security Support Provider Interface). That implementation is called gsskrb5.dll and is a native Windows library: ftp://ftp.sap.com/pub/ietf-work/gssapi/gsskrb5/
Does anyone have any tips on how I need to go about getting Java to use the external GSSAPI implementation (gsskrb5.dll) instead of its own internal one?
So far, I have concluded the following:
* I create a mechanism like this: Oid mechanism = new Oid("1.2.840.113554.1.2.2"); //specifies Kerberos, and is what gsskrb5.dll's author says is the correct Oid.
* I call org.ietf.jgss.GSSManager.getInstance().createCredentials() with the above mechanism, but that fails for different reasons.
* I believe there is a problem with gsskrb5.dll not being used at all.
* Just loading gsskrb5.dll with System.load() or System.loadLibrary() is not enough.
* I think I need to either use one of the following, or create an alternative implementation that wraps gsskrb5.dll:
** sun.security.jgss.SunProvider
** sun.security.jgss.wrapper.SunNativeProvider
It would be nice if I didn't have to implement a JNI wrapper for gsskrb5.dll (even using JNA, which seems good enough). If there is any way I can just "plug in" the correct configuration (if Sun's classes are prepared for using an external implementation), that would make me happy :))
What do you guys think??
--
Hugo Josefson
__________________
+46 706 902 228
www.jayway.com/opensource
Founders of Öredev and Qi4J
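As an added illustration (not the poster's code and not SAP's), this is the configuration-only route the post is asking about: Sun's JGSS framework can be switched to its native bridge (sun.security.jgss.wrapper.SunNativeProvider) with the documented system properties sun.security.jgss.native and sun.security.jgss.lib, after which it calls the RFC 2744 C functions (gss_acquire_cred, gss_init_sec_context, ...) of whatever library the second property names. It assumes gsskrb5.dll exports those standard C entry points, that the JDK build in use ships the native bridge for Windows, that the library path and the service principal HTTP@service.example.com are placeholders to be replaced, and that a KDC is reachable when the context is initialised. Setting -Dsun.security.jgss.debug=true on the command line prints which provider JGSS actually selected if the mechanism check below fails.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Probe whether JGSS can be pointed at an external GSS-API C library
 * (assumed here to be SAP's gsskrb5.dll) purely through system properties,
 * then acquire an initiator credential and build the first context token.
 */
public class NativeGssProbe {

    /** Kerberos V5 mechanism OID (RFC 1964), the value quoted in the post. */
    static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";

    /** Hypothetical host-based service name; replace with a real SPN in your realm. */
    static final String TARGET_SERVICE = "HTTP@service.example.com";

    public static void main(String[] args) throws GSSException {
        // Assumed location of the library; pass the real path as the first argument.
        String libPath = args.length > 0 ? args[0] : "C:\\path\\to\\gsskrb5.dll";

        // Both properties must be set before GSSManager is first touched: the
        // choice between the pure-Java Kerberos provider and the native bridge is
        // made when the JGSS framework initialises, and cannot be changed later.
        System.setProperty("sun.security.jgss.native", "true");
        System.setProperty("sun.security.jgss.lib", libPath);

        GSSManager manager = GSSManager.getInstance();
        Oid krb5 = new Oid(KRB5_MECH_OID);

        // Check that the Kerberos mechanism is actually offered. If the native
        // library failed to load, the framework falls back to the Java provider
        // (the one that needs the allowtgtsessionkey Registry change) or offers
        // no Kerberos mechanism at all, depending on the JDK version.
        boolean krb5Available = false;
        for (Oid mech : manager.getMechs()) {
            System.out.println("advertised mechanism: " + mech);
            if (mech.equals(krb5)) {
                krb5Available = true;
            }
        }
        if (!krb5Available) {
            System.err.println("Kerberos mechanism not offered; check -Dsun.security.jgss.debug=true output");
            return;
        }

        // Acquire an initiator credential for the default principal. When the
        // library delegates to SSPI this is the logged-on Windows user, and no
        // session key has to be exported from LSA for it to work.
        GSSCredential cred = manager.createCredential(
                null, GSSCredential.DEFAULT_LIFETIME, krb5, GSSCredential.INITIATE_ONLY);
        System.out.println("credential for " + cred.getName()
                + ", remaining lifetime (s): " + cred.getRemainingLifetime());

        // Build the first context token for the target service. This is the step
        // that proves end to end that the library can obtain a service ticket.
        GSSName target = manager.createName(TARGET_SERVICE, GSSName.NT_HOSTBASED_SERVICE, krb5);
        GSSContext ctx = manager.createContext(target, krb5, cred, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true); // require the server to prove its identity too
        ctx.requestInteg(true);      // ask for integrity protection on the channel
        byte[] token = ctx.initSecContext(new byte[0], 0, 0);
        System.out.println("initial token size: " + (token == null ? 0 : token.length) + " bytes");

        // Release native handles explicitly; the bridge owns C-side state.
        ctx.dispose();
        cred.dispose();
    }
}
```

Run it as `java -Dsun.security.jgss.debug=true NativeGssProbe "C:\real\path\gsskrb5.dll"`. If the mechanism list is printed by the Java provider rather than the native one, the usual causes are the properties being set after some other code already initialised JGSS, a 32/64-bit mismatch between the JVM and the DLL, or the DLL not exporting the gss_* symbols the bridge resolves at load time.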